Update Gradle.lockfile's

Author: ryanbrandenburg

.devcontainer/devcontainer.json

@@ -24,7 +24,7 @@
     "ghcr.io/devcontainers/features/node": "lts",
     "ghcr.io/devcontainers/features/go": "latest",
     "ghcr.io/devcontainers/features/ruby": "3.3.6",
-    "ghcr.io/devcontainers/features/rust": "latest",
+    "ghcr.io/devcontainers/features/rust": "1.86.0",
     "ghcr.io/devcontainers/features/dotnet": "latest",
     "ghcr.io/devcontainers/features/sshd:1": {
       "version": "latest"

gradle/Dockerfile

@@ -1,7 +1,43 @@
 FROM ghcr.io/dependabot/dependabot-updater-core
 
+# Install Java
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openjdk-11-jdk \
+    # avoids keytool usage
+    ca-certificates-java \
+    wget \
+    # we need to allow the dependabot user to write to these files for when update-ca-certificates is run
+    && chgrp dependabot /etc/default/cacerts  \
+    && chmod g+rw /etc/default/cacerts \
+    && chgrp dependabot /etc/ssl/certs/java/cacerts  \
+    && chmod g+rw /etc/ssl/certs/java/cacerts \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Gradle
+ENV GRADLE_HOME=/opt/gradle
+ENV GRADLE_VERSION=8.14
+ARG GRADLE_DOWNLOAD_SHA256=61ad310d3c7d3e5da131b76bbf22b5a4c0786e9d892dae8c1658d4b484de3caa
+RUN set -o errexit -o nounset \
+    && echo "Downloading Gradle" \
+    && wget --no-verbose --output-document=gradle.zip "https://services.gradle.org/distributions/gradle-${GRADLE_VERSION}-bin.zip" \
+    \
+    && echo "Checking Gradle download hash" \
+    && echo "${GRADLE_DOWNLOAD_SHA256} *gradle.zip" | sha256sum -c - \
+    \
+    && echo "Installing Gradle" \
+    && unzip gradle.zip \
+    && rm gradle.zip \
+    && mv "gradle-${GRADLE_VERSION}" "${GRADLE_HOME}/" \
+    && ln -s "${GRADLE_HOME}/bin/gradle" /usr/bin/gradle
+
 USER dependabot
 
+ENV PATH=/usr/bin/gradle:$PATH
+
+RUN set -o errexit -o nounset \
+    && echo "Testing Gradle installation" \
+    && gradle --version
+
 COPY --chown=dependabot:dependabot maven $DEPENDABOT_HOME/maven
 COPY --chown=dependabot:dependabot gradle $DEPENDABOT_HOME/gradle
 COPY --chown=dependabot:dependabot common $DEPENDABOT_HOME/common

gradle/lib/dependabot/gradle/file_updater.rb

@@ -6,6 +6,7 @@
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/gradle/file_parser"
+require "dependabot/gradle/file_updater/lockfile_updater"
 
 module Dependabot
   module Gradle
@@ -17,6 +18,7 @@ class FileUpdater < Dependabot::FileUpdaters::Base
 
       SUPPORTED_BUILD_FILE_NAMES = %w(build.gradle build.gradle.kts).freeze
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           # Matches build.gradle or build.gradle.kts in root directory
@@ -26,10 +28,12 @@ def self.updated_files_regex
           # Matches settings.gradle or settings.gradle.kts in root or any subdirectory
           %r{(^|.*/)settings\.gradle(\.kts)?$},
           # Matches dependencies.gradle in root or any subdirectory
-          %r{(^|.*/)dependencies\.gradle$}
+          %r{(^|.*/)dependencies\.gradle$},
+          %r{(^|.*/)?gradle.lockfile$}
         ]
       end
 
+      sig { override.returns(T::Array[::Dependabot::DependencyFile]) }
       def updated_dependency_files
         updated_files = buildfiles.dup
 
@@ -53,26 +57,33 @@ def updated_dependency_files
 
       private
 
+      sig { override.void }
       def check_required_files
         raise "No build.gradle or build.gradle.kts!" if dependency_files.empty?
       end
 
+      sig { void }
       def original_file
         dependency_files.find do |f|
           SUPPORTED_BUILD_FILE_NAMES.include?(f.name)
         end
       end
 
+      sig do
+        params(buildfiles: T::Array[Dependabot::DependencyFile], dependency: Dependabot::Dependency)
+          .returns(T::Array[Dependabot::DependencyFile])
+      end
       def update_buildfiles_for_dependency(buildfiles:, dependency:)
         files = buildfiles.dup
 
         # The UpdateChecker ensures the order of requirements is preserved
         # when updating, so we can zip them together in new/old pairs.
-        reqs = dependency.requirements.zip(dependency.previous_requirements)
+        reqs = dependency.requirements.zip(T.must(dependency.previous_requirements))
                          .reject { |new_req, old_req| new_req == old_req }
 
         # Loop through each changed requirement and update the buildfiles
         reqs.each do |new_req, old_req|
+          raise "Bad req match" if old_req.nil?
           raise "Bad req match" unless new_req[:file] == old_req[:file]
           next if new_req[:requirement] == old_req[:requirement]
 
@@ -92,23 +103,34 @@ def update_buildfiles_for_dependency(buildfiles:, dependency:)
           elsif new_req.dig(:metadata, :dependency_set)
             files = update_files_for_dep_set_change(files, old_req, new_req)
           else
-            files[files.index(buildfile)] =
+            files[T.must(files.index(buildfile))] =
               update_version_in_buildfile(
                 dependency,
                 buildfile,
                 old_req,
                 new_req
               )
           end
+
+          updater = Dependabot::Gradle::LockfileUpdater.new(dependency_files: files)
+          lockfiles = updater.update_lockfiles(buildfile)
+          files.concat(lockfiles) unless lockfiles.empty?
         end
 
         files
       end
 
+      sig do
+        params(
+          buildfiles: T::Array[Dependabot::DependencyFile],
+          old_req: T::Hash[Symbol, T.untyped],
+          new_req: T::Hash[Symbol, T.untyped])
+        .returns(T::Array[Dependabot::DependencyFile])
+      end
       def update_files_for_property_change(buildfiles, old_req, new_req)
         files = buildfiles.dup
         property_name = new_req.fetch(:metadata).fetch(:property_name)
-        buildfile = files.find { |f| f.name == new_req.fetch(:file) }
+        buildfile = T.must(files.find { |f| f.name == new_req.fetch(:file) })
 
         PropertyValueUpdater.new(dependency_files: files)
                             .update_files_for_property_change(
@@ -119,10 +141,17 @@ def update_files_for_property_change(buildfiles, old_req, new_req)
                             )
       end
 
+      sig do
+        params(
+          buildfiles: T::Array[Dependabot::DependencyFile],
+          old_req: T::Hash[Symbol, T.untyped],
+          new_req: T::Hash[Symbol, T.untyped])
+        .returns(T::Array[Dependabot::DependencyFile])
+      end
       def update_files_for_dep_set_change(buildfiles, old_req, new_req)
         files = buildfiles.dup
         dependency_set = new_req.fetch(:metadata).fetch(:dependency_set)
-        buildfile = files.find { |f| f.name == new_req.fetch(:file) }
+        buildfile = T.must(files.find { |f| f.name == new_req.fetch(:file) })
 
         DependencySetUpdater.new(dependency_files: files)
                             .update_files_for_dep_set_change(
@@ -157,8 +186,9 @@ def update_version_in_buildfile(dependency, buildfile, previous_req,
       def original_buildfile_declarations(dependency, requirement)
         # This implementation is limited to declarations that appear on a
         # single line.
-        buildfile = buildfiles.find { |f| f.name == requirement.fetch(:file) }
-        buildfile.content.lines.select do |line|
+        buildfile = T.must(buildfiles.find { |f| f.name == requirement.fetch(:file) })
+
+        T.must(buildfile.content).lines.select do |line|
           line = evaluate_properties(line, buildfile)
           line = line.gsub(%r{(?<=^|\s)//.*$}, "")
 
@@ -209,6 +239,7 @@ def updated_buildfile_declaration(original_buildfile_declaration, previous_req,
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def buildfiles
         @buildfiles ||= dependency_files.reject(&:support_file?)
       end

gradle/lib/dependabot/gradle/file_updater/lockfile_updater.rb

@@ -0,0 +1,67 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "shellwords"
+
+require "dependabot/gradle/file_parser"
+require "dependabot/gradle/file_updater"
+
+module Dependabot
+  module Gradle
+    class LockfileUpdater
+      extend T::Sig
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
+      def initialize(dependency_files:)
+        @dependency_files = dependency_files
+        @lock_files = T.let(dependency_files.select { |f| f.name.end_with?(".lockfile") }, T::Array[Dependabot::DependencyFile])
+      end
+
+      sig do
+        params(build_file: Dependabot::DependencyFile)
+        .returns(T::Array[Dependabot::DependencyFile])
+      end
+      def update_lockfiles(build_file)
+        base_dir = build_file.directory
+        # If we don't have any lockfiles in the build files don't generate one
+        [] unless @dependency_files.any? do |file|
+          file.directory == build_file.directory and file.name.end_with?(".lockfile")
+        end
+
+        updated_lockfiles = T.let(Array.new, T::Array[Dependabot::DependencyFile])
+        SharedHelpers.in_a_temporary_directory do |temp_dir|
+          for file in @dependency_files
+            FileUtils.mkdir_p(Pathname.new(file.name).dirname)
+            File.write(file.name, file.content)
+          end
+
+          command_parts = [
+            "gradle",
+            "build",
+            "--write-locks"
+          ]
+
+          command = Shellwords.join(command_parts)
+          begin
+            output = SharedHelpers.run_shell_command(command, cwd: File.join(temp_dir, build_file.directory))
+            for file in @lock_files.select{ |f| f.directory == build_file.directory }
+              f_content = File.read(File.join(temp_dir, file.name))
+              tmp_file = file.dup
+              tmp_file.content = f_content
+              updated_lockfiles << tmp_file
+            end
+          rescue SharedHelpers::HelperSubprocessFailed => e
+            return updated_lockfiles
+          end
+        end
+
+        return updated_lockfiles
+      end
+    end
+  end
+end

gradle/lib/dependabot/gradle/file_updater/property_value_updater.rb

@@ -1,17 +1,30 @@
 # typed: true
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/gradle/file_updater"
 require "dependabot/gradle/file_parser/property_value_finder"
 
 module Dependabot
   module Gradle
     class FileUpdater
       class PropertyValueUpdater
+      extend T::Sig
+
         def initialize(dependency_files:)
           @dependency_files = dependency_files
         end
 
+        sig do
+          params(
+            property_name: String,
+            callsite_buildfile: Dependabot::DependencyFile,
+            previous_value: String,
+            updated_value: String
+          )
+          .returns(T::Array[Dependabot::DependencyFile])
+        end
         def update_files_for_property_change(property_name:,
                                              callsite_buildfile:,
                                              previous_value:,

gradle/spec/dependabot/gradle/file_updater_spec.rb

@@ -29,11 +29,12 @@
       package_manager: "gradle"
     )
   end
+  let(:buildfile_folder) { "buildfiles" }
   let(:buildfile_fixture_name) { "basic_build.gradle" }
   let(:buildfile) do
     Dependabot::DependencyFile.new(
       name: "build.gradle",
-      content: fixture("buildfiles", buildfile_fixture_name)
+      content: fixture(buildfile_folder, buildfile_fixture_name)
     )
   end
   let(:dependencies) { [dependency] }
@@ -124,6 +125,61 @@
 
       its(:content) { is_expected.to include "version: '4.2.0'" }
 
+      context "with a lockfile" do
+        let(:buildfile_folder) { "buildfiles/lockfile/app" }
+        let(:buildfile_fixture_name) { "build.gradle.kts" }
+        let(:buildfile) do
+          Dependabot::DependencyFile.new(
+            name: "app/build.gradle.kts",
+            directory: "app/",
+            content: fixture(buildfile_folder, buildfile_fixture_name)
+          )
+        end
+        let(:lockfile) do
+          Dependabot::DependencyFile.new(
+            name: "app/gradle.lockfile",
+            directory: "app/",
+            content: fixture(buildfile_folder, "gradle.lockfile")
+          )
+        end
+        let(:dependency_files) { [buildfile, lockfile, Dependabot::DependencyFile.new(
+          name: "settings.gradle.kts",
+          directory: "/",
+          content: fixture(buildfile_folder, "..", "settings.gradle.kts")
+        )] }
+        let(:dependencies) do
+          [
+            Dependabot::Dependency.new(
+              name: "com.google.code.gson:gson",
+              version: "2.8.9",
+              package_manager: "gradle",
+              requirements: [{
+                file: "app/build.gradle.kts",
+                requirement: "2.8.9",
+                groups: [],
+                source: nil,
+                metadata: nil
+              }],
+              previous_requirements: [{
+                file: "app/build.gradle.kts",
+                requirement: "2.8.8",
+                groups: [],
+                source: nil,
+                metadata: nil
+              }]
+            )
+          ]
+        end
+
+        it "updates build.gradle.kts and gradle.lockfile" do
+          expect(updated_files.map(&:name)).to eq(["app/build.gradle.kts", "app/gradle.lockfile"])
+          expect(updated_files.first.content)
+            .to include('implementation("com.google.code.gson:gson:2.8.9")')
+          expect(updated_files.last.content)
+            .to include('com.google.code.gson:gson:2.8.9=runtimeClasspath')
+        end
+      end
+
       context "with kotlin" do
         let(:buildfile_fixture_name) { "build.gradle.kts" }
 

gradle/spec/fixtures/buildfiles/lockfile/.gitignore

@@ -0,0 +1,5 @@
+# Ignore Gradle project-specific cache directory
+.gradle
+
+# Ignore Gradle build output directory
+build